Ransomeware as a service and affiliate based organized crime
A good measure of a society is not just how it treats its most vulnerable, but also how it responds in a crisis. When there is little faith or trust in institutions, people are more prone to panic and focus on their perceived self-interest.
Witness the response to a ransomware induced gas shortage:
Don’t be this woman and man from Alabama.
It’s panic buying.
& in this case (below) It’s dangerous.
There is fuel.
It’s just a matter of getting it to where it needs to go.
If you don’t need gas don’t go get it. pic.twitter.com/cQlb8NVP2W
— David Begnaud (@DavidBegnaud) May 12, 2021
I filled up some bags with gas and stuck them in my trunk and, you’re not going to believe this, but they were gone when I got home. The bags were there but no gas 🤷♂️ pic.twitter.com/J7Zen6SOH3
— 1781™ (@July041776) May 13, 2021
2020 PSA: Don’t inject bleach
2021 PSA: Don’t fill bags w/ gas. pic.twitter.com/qcBmxpVdWa
— Jason Pizzo (@senpizzo) May 12, 2021
Significant stupidity aside, this episode was both an exercise in fragile psychology, as well as a demonstration of how vulnerable our infrastructure is to cyber attack.
In this case, ironically, the attackers did not want to inflict actual damage or harm, they just wanted to get paid.
Yet what makes this story even more fascinating, is the organization, or rather platform that made this successful attack possible.
Here's a closer look at DarkSide, the relatively new ransomware-as-a-service platform that's been holding 5,500 miles of fuel pipeline hostage. Story includes negotiations btwn DarkSide & a $15B victim that recently negotiated a $30M demand down to $11M. https://t.co/Fapvw9vzhJ
— briankrebs (@briankrebs) May 11, 2021
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.
Like other ransomware platforms, DarkSide adheres to the current badguy best practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.
At its launch, DarkSide sought to woo affiliates from competing ransomware programs by advertising a victim data leak site that gets “stable visits and media coverage,” as well as the ability to publish victim data by stages.
For those of you who may not be familiar with the computer criminal economy, it is remarkably sophisticated, in many respects, mirrors it’s legitimate equivalent.
Talented programmers are sought after, recruited, and offered perks and supports to do their work. Creating markets for stolen data, credentials, and exploits. Yet in this case, also creating platforms to successfully attack and extort targets.
Consider this a new kind of organized crime that is both less organized than traditional criminal syndicates in that identities are often anonymous or pseudonymous, and yet more organized due to the way they employ online systems and platforms.
Researchers had seen these dynamics for decades as part of malware and other software markets. However this software as a service model is relatively new.
In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.
In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.
DarkSide also has advertised a willingness to sell information about upcoming victims before their stolen information is published on the DarkSide victim shaming blog, so that enterprising investment scammers can short the company’s stock in advance of the news.
These are smart and well thought out scams, although that doesn’t seem like the right word. Campaigns and strategies seems more appropriate.
Like other hacks or cybersecurity incidents that have made headlines of late, there is often the air of foreign state based intelligence agencies, or at least vague associations.
Pro tip for the "but how do we protect ourselves?" folks. DarkSide ransomware, like many other strains, will not install on systems where certain Cyrillic keyboard and other scripts are already installed. So, install the Russian keyboard. You don't have to use it.
— briankrebs (@briankrebs) May 11, 2021
Explicit links are not there, but strategic overlap certainly is.
People discussing the relationship between ransomware teams and the Russian government should probably keep @Jason_Healey's "Spectrum of National Responsibility" in mind.
Right now, it looks like the Darkside group that attacked Colonial is at least "State-Encouraged". pic.twitter.com/ZLxpw7aKfb
— Alex Stamos (@alexstamos) May 10, 2021
In addition to Brian Krebs, the smart folks at FireEye have also published an analysis of how this group operates, and the kinds of activities they’re believed to be engaged in.
DARKSIDE is in the headlines, but it’s not a monolithic group. @thinkpoison, @tiskimber, @JWilsonSecurity, @ramen0x3f, @malwaresoup take you through some of what @Mandiant knows about it. #threatintel #dfir https://t.co/x8ycblG1vw
— Andrew Thompson (@anthomsec) May 11, 2021
Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these actors conduct multifaceted extortion where data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and the non-release of stolen data to exert more pressure on victims.
The origins of these incidents are not monolithic. DARKSIDE ransomware operates as a ransomware-as-a-service (RaaS) wherein profit is shared between its owners and partners, or affiliates, who provide access to organizations and deploy the ransomware. Mandiant currently tracks multiple threat clusters that have deployed this ransomware, which is consistent with multiple affiliates using DARKSIDE. These clusters demonstrated varying levels of technical sophistication throughout intrusions. While the threat actors commonly relied on commercially available and legitimate tools to facilitate various stages of their operations, at least one of the threat clusters also employed a now patched zero-day vulnerability.
This shared affiliate model is interesting, not just because it offers a model of computer based organized crime, but a talent recruitment, management, and incentivization process.
If anything it is a kind of silicon valley approach to organized crime, albeit with slavic influences.
Excellent analysis by @FireEye into Darkside #ransomware – where "affiliates are required to pass an interview after which they are provided access to an administration panel" https://t.co/gusfffcafZ #malware #cybersecurity #infosec pic.twitter.com/RPMI5ODntU
— Raj Samani (@Raj_Samani) May 12, 2021
DARKSIDE RaaS affiliates are required to pass an interview after which they are provided access to an administration panel (Figure 2). Within this panel, affiliates can perform various actions such as creating a ransomware build, specifying content for the DARKSIDE blog, managing victims, and contacting support. Mandiant has identified at least five Russian-speaking actors who may currently, or have previously, been DARKSIDE affiliates. Relevant advertisements associated with a portion of these threat actors have been aimed at finding either initial access providers or actors capable of deploying ransomware on accesses already obtained.
This provides a potent combination of distributed actors using a centralized resource that offers the latest tactics and methods for infiltration and extortion.
An important note here – not all DarkSide intrusions are the same! Because it's Ransomware as a Service (RaaS), it makes sense that these clusters could represent different affiliates. pic.twitter.com/LYzkuNORUP
— Katie Nickels (@likethecoins) May 11, 2021
Also worth remembering that most successful ransomware attacks are not reported publicly. In this case the hack of the pipeline resulted in sensational news, but the reality is that most victims would prefer to remain anonymous.
Given what we’re learning about this platform, it is clearly enabling a scale and effectiveness that most targets and people underestimate.
DARKSIDE operates as a ransomware-as-a-service (RaaS) affiliate program. @Mandiant tracks multiple threat clusters that have deployed DARKSIDE, with varying levels of technical sophistication.
— FireEye (@FireEye) May 11, 2021
Although I think we’re all kind of guilty of underestimating just how much herd psychology combined with stupidity can get us:
This idiot in a MAGA hat in front of me at the gas station has filled up about 30 water bottles and 3 cardboard boxes up with gas… dear lord pic.twitter.com/FYFw53Ft5E
— Nick Roberts (@nickroberts317) May 13, 2021
I knew I'd seen this somewhere before… https://t.co/5pXFZsY2fM
— Kevin Ray🗽 (@KevinRay62) May 13, 2021
This is what happens when you fill 5 gas cans, put them in your car, then light a cigarette. Happened in Florida where the pipeline likely would have had no effect on supply. pic.twitter.com/0vAlEA1k9T
— TheDaily (@StopTheCriminal) May 13, 2021